CVE-2012-2335
Published: 2012-05-11
Priority: P2 · 75 · High · CVSS 2.0: 7.5 · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploited in the wild (VulnCheck KEV)
EPSS: 32.54% (98.1th percentile)
php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | — | — |
| php | php | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by inspecting HTTP query strings that begin with a '+-' sequence (no '=' character present) targeting PHP-CGI endpoints, as this is the bypass pattern for CVE-2012-2335.
- Apply mod_rewrite rules to block query strings lacking '=' that contain '-' or '%2d', which covers the CGI argument injection attack surface.
- Flag or alert on PHP-CGI wrapper scripts that use unquoted '$*' to pass arguments, as this is the root cause of the CVE-2012-2335 bypass (insecure wrapper pattern).
- Monitor for active exploitation attempts against PHP-CGI; a public Metasploit module and honeypot-confirmed in-the-wild exploitation exist for this vulnerability class.
- CVE-2012-2335 only affects PHP deployments using CGI mode (php-cgi / php-wrapper.fcgi); the default Apache mod_php configuration is NOT affected.
- The vulnerability is in the insecure wrapper script (php-wrapper.fcgi using '$*'), not in PHP itself; PHP 5.3.13 and 5.4.3 mitigate it by skipping leading spaces in the query string, but fixing the wrapper script is the correct remediation.
- CVE-2012-2335 is distinct from CVE-2012-2311 (which covers the '%3D' bypass of the '=' check) and CVE-2012-2336 (second php_getopt() call not skipped); detection rules should account for all three bypass variants.
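As an added example (not code from the page's sources or from PHP), the query-string check described in the detection bullets above, run over constructed Common Log Format lines: a raw query string with no literal '=' whose argv words (split on '+') start with '-' after percent-decoding and stripping the leading spaces that the CVE-2012-2335 bypass hides behind. The log format and the helper names are assumptions.

```python
import re
from urllib.parse import unquote

# Request target inside a Common Log Format line (assumption: CLF-style logs).
_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def is_cgi_arg_injection(raw_query: str) -> bool:
    """True if a raw (still URL-encoded) query string shows the php-cgi
    argument-injection pattern: no literal '=' (so the CGI gateway splits
    it on '+' and hands it to php-cgi as argv) and some argv word that,
    after percent-decoding and stripping the leading spaces CVE-2012-2335
    hides behind, starts with '-'.  Testing the raw string for '=' also
    covers the '%3D' variant (CVE-2012-2311); decoding covers '%2d'."""
    if "=" in raw_query:
        return False
    for word in raw_query.split("+"):
        if unquote(word).lstrip().startswith("-"):
            return True
    return False


def scan_access_log(lines):
    """Return (line_no, path, raw_query) for each request that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        if query and is_cgi_arg_injection(query):
            hits.append((n, path, query))
    return hits


# Constructed sample log lines (not real traffic); only lines 2-4 should match.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2012:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '10.0.0.6 - - [11/May/2012:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 2048',
    '10.0.0.7 - - [11/May/2012:10:00:03 +0000] "GET /index.php?+-s HTTP/1.1" 200 2048',
    '10.0.0.8 - - [11/May/2012:10:00:04 +0000] "GET /index.php?%2ds HTTP/1.1" 200 2048',
    '10.0.0.9 - - [11/May/2012:10:00:05 +0000] "GET /search.php?q+term HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("possible php-cgi argument injection:", hit)
```

The check deliberately ignores '=' found only after decoding, because a gateway that splits on the raw string is what turns the query into argv in the first place.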
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
GHSA
GHSA-ppq5-vhcq-mxw2: php-wrapper (CVE-2012-2335, HIGH; ghsa_unreviewed, 2022-05-14)
VulnCheck
PHP sapi/cgi/cgi_main.c Component Vulnerability (CVE-2012-2335, HIGH; vulncheck, 2012, CVSS 7.5)
Affected: PHP / PHP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.bleepingcomputer.com/news/security/linux-and-windows-servers-targeted-with-rubyminer-malware/
Ubuntu
PHP vulnerabilities (CVE-2012-0781, MEDIUM; vendor_ubuntu, 2012-06-19, CVSS 5.0)
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain Tidy::diagnose operations on invalid objects. A remote attacker could use this flaw to cause PHP to crash, leading to a denial of service. (CVE-2012-0781)
It was discovered that PHP incorrectly handled certain multi-file upload filenames. A remote attacker could use this flaw to cause a denial of service, or to perform a directory traversal attack. (CVE-2012-1172)
Rubin Xu and Joseph Bonneau discovered that PHP incorrectly handled certain Unicode characters in passwords passed to the crypt() function. A remote attacker could possibly use this flaw to bypass authentication. (CVE-2012-2143)
It was discovered that a Debian/Ubuntu specific patch caused PHP
Red Hat
php: command line arguments injection when run in CGI mode (VU#520827) (CVE-2012-1823, CRITICAL; vendor_redhat, 2012-05-03, CVSS 9.8)
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
Statement: This flaw did not affect the versions of PHP in Red Hat Enterprise Linux 3 or 4. Updates were released for Red Hat Enterprise Linux 5 and 6 (RHSA-2012:0546, RHSA-2012:0547), Red Hat Enterprise Linux 5.3 Long Life (RHSA-2012:0568), Red Hat Enterprise Linux 5.6, 6.0, and 6.1 Extended Update Support (RHSA-2012:0568, RHSA-2012:0569), and Red Hat Appli
Red Hat
php: incomplete CVE-2012-1823 fix - insecure wrapper (CVE-2012-2335, CRITICAL; vendor_redhat, 2012-05-03, CVSS 9.8)
Statement: The mitigation for CVE-2012-2335 is included in the following PHP updates for Red Hat Enterprise Linux 5 and 6, which also address CVE-2012-2336 (BZ#820708):
https://rhn.redhat.com/errata/RHSA-2012-1045.html
https://rhn.redhat.com/errata/RHSA-2012-1046.html
https://rhn.redhat.com/errata/RHSA-2012-1047.html
Package: php (Red Hat Enterprise Linux 4) - Not affected
Package: php (Red Hat Enterprise Linux 5) - Affected
Pac
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-2335 php: incomplete CVE-2012-1823 fix - insecure wrapper (CRITICAL; bugzilla, 2012-05-11, CVSS 9.8)
CVE-2012-1823 was assigned to a PHP-CGI flaw that could allow remote attackers to execute arbitrary code by injecting php-cgi command line arguments via a specially crafted query string. Refer to bug #818607 for details about this flaw.
The released fix for this issue was reported to be incomplete and can be bypassed by prefixing the query string with spaces (e.g. ?+-s). However, that problem only affected configurations using an insecure wrapper script similar to the one pointed out in the CVE-2012-1823 reporter's blog post:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php.net/archive/2012.php#id2012-05-06-1
http://wiki.dreamhost.com/PHP.ini#Create_the_script_wrapper
While this problem is not a
Bugzilla
CVE-2012-2311 php: incomplete CVE-2012-1823 fix - incorrect check for = (CRITICAL; bugzilla, 2012-05-04, CVSS 9.8)
It was discovered that the fix that was applied in PHP versions 5.3.12 and 5.4.2 to address CVE-2012-1823 (bug #818607) was incomplete and did not resolve the problem. A remote attacker could still use this flaw to remotely execute arbitrary code on servers using affected PHP CGI configurations.
The problem was noted in the blog post of the CVE-2012-1823 issue reporter:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
UPDATE3: The new PHP release is buggy. You can use their workaround, but
the new releases and their patch do not fix the issue. Use our
mitigations for now.
[...]
UPDATE5: We have received word that new PHP updates with the revised fix
will be released soon. The issue that this prob
Bugzilla
CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827) (CRITICAL; bugzilla, 2012-05-03, CVSS 9.8)
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter.
References:
https://bugs.php.net/bug.php?id=61910
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://ompldr.org/vZGxxaQ
Discussion:
PHP 5.3.12 and 5.4.2 are released to correct this:
http://www.php.net/archive/2012.php#id2012-05-03-1
They also note the mitigation/workaround.
References
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://git.php.net/?p=php-src.git%3Ba=blob%3Bf=sapi/cgi/cgi_main.c%3Bh=a7ac26f0#l1569
http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00003.html
http://secunia.com/advisories/49014
http://www.kb.cert.org/vuls/id/520827
http://www.php.net/archive/2012.php#id2012-05-06-1
https://bugs.php.net/bug.php?id=61910
https://exchange.xforce.ibmcloud.com/vulnerabilities/75652
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862